Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Panigrahi, Bhawani Sankar,Nagarajan, Nagabhooshanam,Prasad, Kanaka Durga Veera,Sathya,Salunkhe, Satish Sampatrao,Kumar, Pilli. Dharmendra,Kumar, Muthevi Anil

DOI: https://doi.org/10.1007/s11042-023-18097-5

IF: 2.577

2024-02-09

Multimedia Tools and Applications

Abstract:Malicious malware targeting Android systems has alarmingly increased due to the quick spread of Android devices. For these devices to be secure and to protect the private data of users, Android virus detection is essential. The selection of features, model performance, and efficiency are issues with existing Android malware detection techniques. To overcome these drawbacks, we suggest a unique method for identifying malicious Android data that combines Tree Seed Optimization with Support Vector Machines (TSO-SVM).TSO is a nature-inspired optimization technique that looks for the best feature subsets by simulating the tree's seed dispersal process. The efficiency and effectiveness of SVM-based classification are increased by our method's use of TSO to choose the most instructive features from the Android malware dataset. To normalize the features of the Android application dataset before training, we use a data-cleaning method known as Z-Score normalization. Our Android malware detection solution uses Independent Component Analysis (ICA) as a feature reduction method. Our test results show how well the TSO-SVM technique works at detecting Malicious Android data. In terms of accuracy, precision, recall, and F1-Score for malicious detection, the suggested model achieves 97.12%, 96.35%, 97.88%, and 96.84%, respectively. The proposed technique successfully solves the problem of suboptimal classification accuracy in the presence of dynamic and changing malware threats. The results of this work highlight the potential of TSO techniques for enhancing the security of Android-based devices and present a promising direction for further investigation in the area of mobile security.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Jiyun Yang,Jiang Tang,Ran Yan,Tao Xiang

DOI: https://doi.org/10.1049/cje.2020.00.217

IF: 1.019

2022-01-01

Chinese Journal of Electronics

Abstract:The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models, i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in DexCode, so the application programming interface (API) classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file, the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.

Zhiyao Yang,Xu Yang,Heng Zhang,Haipeng Jia,Mingliang Zhou,Qin Mao,Cheng Ji,Xuekai Wei

DOI: https://doi.org/10.1142/s0218126623502997

2023-01-01

Abstract:Most of the existing static analysis-based detection methods adopt one or few types of typical static features for avoiding the problem of dimensionality and computational resource consumption. In order to further improve detecting accuracy with reasonable resource consumption, in this paper, a new Android malware detection model based on multiple features with feature selection method and feature vectorization method are proposed. Feature selection method for each type of features reduces the dimensionality of feature set. Weight-based feature vectorization method for API calls, intent and permission is designed to construct feature vector. Co-occurrence matrix-based vectorization method is proposed to vectorize opcode sequence. To demonstrate the effectiveness of our method, we conducted comprehensive experiments with a total of 30,000 samples. Experimental results show that our method outperforms state-of-the-art methods.

Vinisha Malik*,Sandip Kumar Goyal,Naveen Malik,,,

DOI: https://doi.org/10.35940/ijitee.k2250.1081219

2019-10-10

International Journal of Innovative Technology and Exploring Engineering

Abstract:Android malware have risen exponentially over the past few years, posing several serious threats such as system damage, financial loss, and mobile botnets. Various detection techniques have been proposed in the literature for Android malware detection. Some of the techniques analyze static parameters such as permissions, or intents, whereas, others focus on dynamic parameters such as network traffic or system calls. Static techniques are relatively easier to implement, however, stealthy recent malware evade static detection by virtue of update attacks. Dynamic detection can be used to detect such stealthy malware, however, it increases the computation overhead. Hence, both kinds of techniques have their own advantages and disadvantages. In this paper, we have proposed an innovative hybrid detection model that uses both static and dynamic features for malware analysis and detection. We first rank the static and dynamic parameters according to the information gain and then apply machine learning algorithms in the testing phase. The results indicate that hybrid approach is better than both static and dynamic approaches and the proposed model achieves 98.9% detection accuracy with Decision Tree classifier

Yizhao Huang,Xingwei Li,Meng Qiao,Ke Tang,Chunyan Zhang,Hairen Gui,Panjie Wang,Fudong Liu

DOI: https://doi.org/10.3390/electronics11050672

IF: 2.9

2022-02-22

Electronics

Abstract:Currently, among the millions of Android applications, there exist numerous malicious programs that pose significant threats to people’s security and privacy. Therefore, it is imperative to develop approaches for detecting Android malware. Recently developed malware detection methods usually rely on various features, such as application programming interface (API) sequences, images, and permissions, thereby ignoring the importance of source code and the associated comments, which are not usually included in malware. Therefore, we propose Android-SEM, which is an Android source code semantic enhancement model based on transfer learning. Our proposed model is built upon the Transformer architecture to achieve a pretraining framework for generating code comments from malware source code. The performance of the pretraining framework is optimized using a generative adversarial network. Our proposed model relies on a novel regression model-based filter to retain high-quality comments and source code for feature fusion pertinent to semantic enhancement. Creatively, and contrary to conventional methods, we incorporated a quantum support vector machine (QSVM) for classifying malicious Android code by combining quantum machine learning and classical deep learning models. The results proved that Android-SEM achieves accuracy levels of 99.55% and 99.01% for malware detection and malware categorization, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ali Muzaffar,Hani Ragab Hassen,Hind Zantout,Michael A Lones

2024-08-26

Abstract:The popularity of Android means it is a common target for malware. Over the years, various studies have found that machine learning models can effectively discriminate malware from benign applications. However, as the operating system evolves, so does malware, bringing into question the findings of these previous studies, many of which report very high accuracies using small, outdated, and often imbalanced datasets. In this paper, we reimplement 18 representative past works and reevaluate them using a balanced, relevant, and up-to-date dataset comprising 124,000 applications. We also carry out new experiments designed to fill holes in existing knowledge, and use our findings to identify the most effective features and models to use for Android malware detection within a contemporary environment. We show that high detection accuracies (up to 96.8%) can be achieved using features extracted through static analysis alone, yielding a modest benefit (1%) from using far more expensive dynamic analysis. API calls and opcodes are the most productive static and TCP network traffic provide the most predictive dynamic features. Random forests are generally the most effective model, outperforming more complex deep learning approaches. Whilst directly combining static and dynamic features is generally ineffective, ensembling models separately leads to performances comparable to the best models but using less brittle features.

Machine Learning,Cryptography and Security

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Safayat Bin Hakim,Muhammad Adil,Kamal Acharya,Houbing Herbert Song

2024-09-28

Abstract:The escalating sophistication of Android malware poses significant challenges to traditional detection methods, necessitating innovative approaches that can efficiently identify and classify threats with high precision. This paper introduces a novel framework that synergistically integrates an attention-enhanced Multi-Layer Perceptron (MLP) with a Support Vector Machine (SVM) to make Android malware detection and classification more effective. By carefully analyzing a mere 47 features out of over 9,760 available in the comprehensive CCCS-CIC-AndMal-2020 dataset, our MLP-SVM model achieves an impressive accuracy over 99% in identifying malicious applications. The MLP, enhanced with an attention mechanism, focuses on the most discriminative features and further reduces the 47 features to only 14 components using Linear Discriminant Analysis (LDA). Despite this significant reduction in dimensionality, the SVM component, equipped with an RBF kernel, excels in mapping these components to a high-dimensional space, facilitating precise classification of malware into their respective families. Rigorous evaluations, encompassing accuracy, precision, recall, and F1-score metrics, confirm the superiority of our approach compared to existing state-of-the-art techniques. The proposed framework not only significantly reduces the computational complexity by leveraging a compact feature set but also exhibits resilience against the evolving Android malware landscape.

Cryptography and Security,Machine Learning

Nan Zhang,Jingfeng Xue,Yuxi Ma,Ruyun Zhang,Tiancai Liang,Yu-an Tan

DOI: https://doi.org/10.1002/int.22529

IF: 8.993

2021-01-01

International Journal of Intelligent Systems

Abstract:Android platform has been the target of attackers due to its openness and increasing popularity. Android malware has explosively increased in recent years, which poses serious threats to Android security. Thus proposing efficient Android malware detection methods is curial in defeating malware. Various features extracted from static or dynamic analysis using machine learning have played an important role in malware detection recently. However, existing code obfuscation, code encryption, and dynamic code loading techniques can be employed to hinder systems that single based on static analysis, purely dynamic analysis systems cannot detect all potential code execution paths. To address these issues, we propose CoDroid, a sequence‐based hybrid Android malware detection method, which utilizes the sequences of static opcode and dynamic system call. We treat one sequence as a sentence in the natural language processing and construct a CNN–BiLSTM–Attention classifier which consists of Convolutional Neural Networks (CNNs), the Bidirectional Long Short‐Term Memory (BiLSTM) with an attention language model. We extensively evaluate CoDroid under a real‐world data set and perform comprehensive analysis against other existing related detection methods. The evaluations show the effectiveness and flexibility of CoDroid across a variety of experimental settings.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Xiao Xi,Xiao Xianni,Jiang Yong,Li Qing

DOI: https://doi.org/10.1007/978-3-319-23829-6_35

2014-01-01

Abstract:With the rapid development of Android devices, mobile malware in Android becomes more prevalent. Therefore, it is rather important to develop an effective model for malware detection. Permissions, system calls, and control flow graphs have been proved to be important features in detection. In this paper, we utilize both static and dynamic strategies with a text classification method, TMSVM, to identify the mobile malware in these three aspects. At first, features have to be selected. Since the sum of control flow graphs is very large, Chi-Square method is used to get the key graphs. Then features are transformed into vectors and TMSVM is subsequently applied to get the classification result. In the static method, we firstly analyze permissions and control flow graphs respectively and then think of the combination of them. In the dynamic method, the system calls are considered. At last, based on the results of the static method and dynamic method, a hybrid classification model of three layers classification is proposed. Compared with the other methods, our method increases the TPR and decreases the FPR.

Hui-Juan Zhu,Zhu-Hong You,Ze-Xuan Zhu,Wei-Lei Shi,Xing Chen,Li Cheng

DOI: https://doi.org/10.1016/j.neucom.2017.07.030

IF: 6

2018-01-01

Neurocomputing

Abstract:The Android platform is becoming increasingly popular and various organizations have developed a variety of applications (App) to cater to market trends. Due to the characteristics of the Android platform, such as supporting the unofficial App stores, open source policy and the great tolerance for App verification, it is inevitable that it faces serious problems of malicious software intrusion. In order to protect the users from the serious damages caused by Android malware, we propose a low-cost and high-efficient method to extract permissions, sensitive APIs, monitoring system events and permission-rate as key features, and employ the ensemble Rotation Forest (RF) to construct a model to detect whether an Android App is malicious or not. Specifically, a dataset containing 2,130 samples is used to verify the performance of the proposed method. The experimental results show that the proposed method achieves an high accuracy of 88.26% with 88.40% sensitivity at the precision of 88.16%. To further evaluate the performance of the proposed model, we also compare it with the state-of-the-art Support Vector Machine (SVM) model under the same experimental conditions, and the comparison results demonstrate that the proposed method improves the accuracy by 3.33% compared to SVM. The experimental results show that the proposed model is extremely promising and could provide a cost-effective alternative for Android malware detection. (C) 2017 Elsevier B.V. All rights reserved.

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Zhuo Ma,Haoran Ge,Zhuzhu Wang,Yang Liu,Ximeng Liu

DOI: https://doi.org/10.48550/arXiv.2002.03594

2020-02-10

Cryptography and Security

Abstract:Android malware detection is a critical step towards building a security credible system. Especially, manual search for the potential malicious code has plagued program analysts for a long time. In this paper, we propose Droidetec, a deep learning based method for android malware detection and malicious code localization, to model an application program as a natural language sequence. Droidetec adopts a novel feature extraction method to derive behavior sequences from Android applications. Based on that, the bi-directional Long Short Term Memory network is utilized for malware detection. Each unit in the extracted behavior sequence is inventively represented as a vector, which allows Droidetec to automatically analyze the semantics of sequence segments and eventually find out the malicious code. Experiments with 9616 malicious and 11982 benign programs show that Droidetec reaches an accuracy of 97.22% and an F1-score of 98.21%. In all, Droidetec has a hit rate of 91% to properly find out malicious code segments.

Rajesh Kumar,Zhang Xiaosong,Riaz Ullah Khan,Jay Kumar,Ijaz Ahad

DOI: https://doi.org/10.1145/3194452.3194465

2018-01-01

Abstract:The across the board reception of android devices and their ability to get to critical private and secret data have brought about these devices being focused by malware engineers. Existing android malware analysis techniques categorized into static and dynamic analysis. In this paper, we introduce two machine learning supported methodologies for static analysis of android malware. The First approach based on statically analysis, content is found through probability statistics which reduces the uncertainty of information. Feature extraction were proposed based on the analysis of existing dataset. Our both approaches were used to high-dimension data into low-dimensional data so as to reduce the dimension and the uncertainty of the extracted features. In training phase the complexity was reduced 16.7% of the original time and detect the unknown malware families were improved.

Zhenlong Yuan,Yongqiang Lu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1145/2740070.2631434

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As smart:phones and mobile devices are rapidly becoming indispensable for many network users, mobile malware has become a serious threat in the network security and privacy. Especially on the popular Android platform, many malicious apps are hiding in a large number of normal apps, which makes the malware detection more challenging. In this paper, we propose a ML-based method that utilizes more than 200 features extracted from both static analysis and dynamic analysis of Android app for malv -are detection. The comparison of modeling results demonstrates that the deep learning technique is especially suitable for Android mahvare detection and can achieve a high level of 96% accuracy with real-world Android application sets.